• For the Driver
  • Refrigerated Transporter
  • HD Pickup & Van
  • Social Media
  • Subscribe
  • In Print
    • 151660973 | Wutthichai Luemuang | Dreamstime.com
    67893c367b6813f4ba365a49 Dreamstime L 151660973
    1. Perspectives
    2. IdeaXchange

    Securing Windows Server OS

    Jan. 21, 2025
    Here are specific steps and tools for trucking companies to harden their Windows Server operating systems against cyberattacks.

    Securing Windows Server operating system requires a proactive and comprehensive approach.

    Let us start with a simple, yet vital requirement: Patch, patch, and then patch again. One of the most critical security controls for the Windows Server operating system, regardless of specific version, is to deploy all relevant security patches. Below we will discuss additional specific steps that will further harden the Windows Server OS against cyberattacks, but running unpatched or outdated operating systems will undermine even the most diligent hardening efforts.

    The next critical step is to ensure your Windows Server deployments align with the service and support life cycle for each specific OS version. Microsoft publishes these relevant dates at the Windows Server Support Lifecycle.

    It is vital for those who oversee IT and security at a trucking company, no matter the size, to track these dates and work them into a deployment life cycle. It’s imperative that production servers are only running supported operating systems that are still receiving regular security updates.

    A quick search online for “Windows Server hardening” will yield thousands of results, but how does one determine which controls are relevant, and which to prioritize?

    The Center for Internet Security provides a free security benchmark for each operating system. This document is an excellent resource when scoping your organization’s hardening checklist. These controls can be broken down into several groupings, each with a different focus, including account policies, local policies, software restriction policies, and advanced audit policy configuration as well as many others. This document can be a bit intimidating for a first-time user, as it comes in at over 1,100 pages (Server 2022). However, there are a few key concepts to remember when hardening servers at your operation:

    • If it is not a critical service, disable it.
    • If it can be audited, configure auditing.
    • If there is a more secure option and a less secure option, enable the more secure option.
    • Data at rest should be encrypted.
    • Adhere to least privilege for all types of access to your servers.

    See also: NMFTA releases 2025 Trucking Cybersecurity Trends Report

    Another resource that will provide significant assistance in creating a hardened baseline is the Microsoft Security Compliance Toolkit.

    There are many commercial endpoint detection and response or extended endpoint detection and response offerings, as well as open-source audit tools that can assist with identifying misconfigurations, or areas that can be further hardened. As soon as an organization has developed a secure baseline, it is critical that this is used as the basis for future deployments to ensure uniformity and compliance without requiring manual configuration of every deployment, which is not feasible in most enterprises.

    As important as creating a secure baseline is, maintaining your server’s security once deployed is equally critical. It is all too easy for unused accounts to be left active when no longer needed. Ensure that you limit administrative accounts to the minimum required for proper maintenance and ensure that accounts no longer required are terminated.

    Periodically review configurations against secure baselines and correct any misconfigurations discovered. Confirm that any software or agents are kept up to date and are removed promptly when no longer required. Outdated integrations and software can unnecessarily increase the attack surface present on your servers.

    Physical server location for on-prem servers and logical segmentation of both on-prem and cloud-hosted servers is crucial, ensuring that access to both the underlying hardware and administrative access to the operating system is limited.

    While we’re on the topic of administrative access, ensure that you deploy a multi-factor authentication solution for all logins, particularly remote logins to your servers, and do not expose remote desktop protocol access to the public internet. Remote access to your servers should at the very least require authentication to a corporate virtual private network (VPN) prior to connection with the server asset.

    Firewall rules controlling connections to and from your servers should be configured strictly, and all user access should adhere to the principle of least privilege, providing access to only those who absolutely require it. All connections to and from your servers must be carefully monitored, with close attention paid to any failed logins or atypical patterns of access, even from legitimate accounts.

    In conclusion, regular patching, adherence to life cycle support, and leveraging resources like the CIS benchmarks and Microsoft Security Compliance Toolkit are foundational. By disabling unnecessary services, enforcing least privilege, encrypting data, and maintaining secure baselines, organizations can significantly reduce vulnerabilities. Continuous monitoring, periodic reviews, and strict access controls, including MFA and VPNs, ensure ongoing protection.

    Remember, hardening is not a one-time effort but an ongoing commitment to safeguarding your servers and data from evolving threats. By following these principles, you establish a resilient foundation for your organization’s security posture.

    About the Author

    Ben Wilkens

    Ben Wilkens, CISSP, CISM, is a cybersecurity principal engineer at the National Motor Freight Traffic Association. In his role at NMFTA, Ben spearheads research initiatives and leads teams dedicated to developing cybersecurity technologies, methodologies, and strategies to safeguard information systems and networks. He collaborates with academic institutions, industry partners, and government agencies to advance cybersecurity practices and knowledge.

    Voice your opinion!

    To join the conversation, and become an exclusive member of FleetOwner, create an account today!

    Continue Reading

    Sponsored Recommendations

    How to Maximize Fleet Management with Vehicle Bypass

    Join us on February 18th to discover how vehicle bypassing can improve fleet safety, boost efficiency, and enhance driver satisfaction while saving time and money.

    Optimizing your fleet safety program using AI

    Learn how AI supports fleet safety programs with tools for compliance monitoring, driver coaching and incident analysis to reduce risks and improve efficiency.

    Mitigate Risk with Data from Route Scores

    Route Scores help fleets navigate the risk factors they encounter in the lanes they travel, helping to keep costs down.

    Uniting for Bold Solutions to Tackle Transportation’s Biggest Challenges

    Over 300 leaders in transportation, logistics, and distribution gathered at Ignite 2024. From new products to innovative solutions, Ignite highlighted the importance of strong...